September 10, 2004

Mr. Walter Stachnik
United States Securities and Exchange Commission
Office of the Inspector General
450 Fifth Street, NW
Washington, DC 20549

Mr. Stachnik:

I am pleased to submit the attached Fiscal Year 2004 Federal Information Security Management Act (FISMA) executive summary report. This report provides the United States Securities and Exchange Commission (SEC), Office of Inspector General (OIG), with responses to Office of Management and Budget (OMB) Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act.

FISMA requires OIGs to complete an annual review of the agency's security program and practices and to report the results of that evaluation. To assist agencies in fulfilling their FISMA evaluation and reporting responsibilities, OMB issued the above-mentioned memorandum, which provides a consistent form and format for agencies to report back to OMB. We completed our responses primarily based on our subsequent review of documentation supporting the entity-wide security program and review of agency Plans of Action and Milestones. Also, we coordinated with SEC management in preparing the responses and appreciate their cooperation in this effort.

We value your feedback and would appreciate your comments on the enclosed work and the services provided. Should you have any questions or concerns, please do not hesitate to contact me at 703.836.6701.

Very truly yours,

COTTON & COMPANY LLP

Loren F. Schwartz, CPA, CISA
Partner

Enclosures

____________________________________
Federal Information Security Management Act
FY 2004 Executive Summary Report

U.S. Securities and Exchange Commission
Office of Inspector General
September 10, 2004
____________________________________

Prepared by Cotton & Company LLP
333 North Fairfax Street
Alexandria, Virginia 22314

Contract No. SECHQ1-03-D-0175
Task Order No. 0002

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

FY 2004 EXECUTIVE SUMMARY REPORT

The Office of Inspector General (OIG) of the Securities and Exchange Commission (SEC) engaged Cotton & Company LLP to conduct an independent evaluation of its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002. This report discusses the effectiveness of information system controls to protect and secure SEC's information technology infrastructure and assets.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

Every agency shares the responsibility to secure the federal government's information and information systems. Administration policy requires federal agencies to take a risk-based, cost-effective approach to secure all information and systems, identify and resolve current IT security weaknesses and risks, and protect against future vulnerabilities and threats.

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security. FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, FISMA includes new provisions aimed at further strengthening the security of the federal government's information and information systems, such as development of minimum standards for agency systems. In general, FISMA:

    •   Lays out a framework for annual information technology security reviews, reporting, and remediation planning.

    •   Codifies existing OMB security policies, including those specified in Circular A-130, Management of Federal Information Resources, and Appendix III.

    •   Reiterates security responsibilities outlined in the Computer Security Act of 1987, Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.

Under this framework, the federal government is able to objectively measure IT security progress and remaining problems. This information is essential to ensuring that priorities are placed on remediation efforts and IT resources, resulting in the timely resolution of IT security weaknesses.

OMB issued Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, on August 23, 2004. This guidance provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and Congress. Plan of Action and Milestones (POA&M) reports to OMB—provided quarterly beginning January 31, 2002—are intended to assist the agency in identifying, assessing, prioritizing, and monitoring its progress in correcting security weaknesses in programs and systems.

SECURITIES AND EXCHANGE COMMISSION

Congress established SEC in 1934 to enforce the Securities Act of 1933 and the Securities Exchange Act of 1934, to promote stability in the markets, and to protect investors. The primary mission of SEC today is still to protect investors and maintain the integrity of the securities markets.

SEC consists of five Presidentially-appointed Commissioners, four divisions, 18 offices, and approximately 3,100 staff. SEC's four divisions are consistent with its organizational structure:

    Division of Corporate Finance: Oversees corporate disclosures of important information to the investing public.

    Division of Market Regulation: Establishes and maintains standards for fair, orderly, and efficient markets.

    Division of Investment Management: Oversees and regulates the investment management industry and administers securities laws affecting investment companies and investment advisers.

    Division of Enforcement: Investigates possible violations of securities laws and recommends Commission action when appropriate.

SCOPE AND METHODOLOGY

As discussed in OMB Memorandum M-04-25, within the context of FISMA, an evaluation is contemplated rather than an audit. Our review was not intended to result in the issuance of an opinion, and we therefore do not issue an opinion as defined by the American Institute of Certified Public Accountants. Our review objective was to assist the OIG in performing an independent evaluation of SEC's information security policies and procedures for compliance with FISMA and federal regulations and standards, and to evaluate SEC's efforts to:

    •   Meet its responsibilities under FISMA.

    •   Implement plans of actions and milestones.

    •   Provide sufficient supporting evidence of SEC's security program to enable OIG to complete its reporting requirements to OMB.

To develop a response for each OMB question, we met with SEC officials and reviewed applicable documentation to develop an understanding of the SEC's entity-wide security program. Additionally, we reviewed the internal controls work and results of the most recent financial statement audit. These results, although still in draft, have been validated by SEC management. In doing our work, we reviewed a number of security components, including:

    1.  Security management structure.
    2.  Risk management.
    3.  System security planning.
    4.  Certification and accreditation.
    5.  Computer incident response capability.
    6.  Contingency planning.
    7.  Security awareness.
    8.  Life cycle security.
    9.  Personnel security.

We have provided quantitative and, where indicated, narrative responses to OMB questions. Responses to these questions are based on a limited review of documentation provided by the client and interviews with key management and personnel. We performed this work from July 13 through September 10, 2004.

RESULTS

In the prior year, one material weakness and three significant deficiencies were identified. One significant deficiency related to the lack of a Chief Information Officer. We would like to commend management for resolving this deficiency by appointing a new Chief Information Officer in January 2004. Additionally, a Chief Security Officer was appointed in August 2004. During the year, SEC's Certification and Accreditation process was initiated for 8 systems.

The material weakness and the two remaining significant deficiencies identified in the prior year remain unresolved. The material weakness was reported in FY 2002 and related to weak security controls within the financial management systems. The two significant deficiencies related to failure to maintain a Plan of Actions and Milestones (POA&M) process, and IT security costs not being properly identified by project, tracked, and reported in SEC's Exhibits 53 and 300.

In addition to the material weakness and two remaining significant deficiencies reported last year, we are reporting four new significant deficiencies:

1.  SEC is not substantially in compliance with OMB Circular A-130, Appendix III, Management of Federal Information Resources. During the financial statement audit, numerous findings were issued. Such findings include not certifying and accrediting major systems and not creating contingency plans for all major applications.

2.  SEC is not substantially in compliance with FISMA requirements. Specifically, we noted that quarterly POA&M reports were not submitted to OMB.

3.  SEC is not substantially in compliance with National Institute of Standards and Technology (NIST) guidance. During the review, we noted that several findings were issued in draft as part of the financial statement audit for non-compliance with standards.

4.  SEC has not adequately addressed information security issues from prior years. Several weaknesses at SEC identified in previous audits have not been resolved. Such weaknesses include the ADP weakness that was first identified in 1989.

FISMA defines a significant deficiency as:

    …a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of an agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets.

The significant deficiencies enumerated above may have existed in previous years and are being reported now due to the detailed nature of the financial statement audit that was performed this year. This is the first time that a financial statement audit will be performed at SEC in line with the Accountability of Tax Dollars Act of 2002.

For each of these significant deficiencies, numerous system-specific weaknesses require management's attention. Before management can address these weaknesses, however, certain structures need to be in place. These structures include:

1.  A process for tracking and resolving identified weaknesses.

2.  A process for performing annual systems reviews and completing certification and accreditations for all systems.

3.  A process for ensuring compliance with applicable information technology laws and regulations.

4.  Security baseline configurations for systems.

5.  A budgetary process that considers information technology security needs and incorporates the POA&M process.

The reported material weakness and significant deficiencies listed above require senior management's immediate attention to ensure that proper corrective action is taken to mitigate the potential for further deficiencies; ensure compliance with OMB's FISMA reporting requirements, OMB Circular A-130, and NIST standards; and strengthen SEC's management of its information infrastructure.